File expat.spec of Package expat.26155

#
# spec file for package expat
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# Build-mode switch: 0 selects the plain single-pass build in the build
# section; the profile-generate / profile-feedback branch there is skipped.
%global do_profiling 0
# Upstream release tag form of the version (underscores instead of dots).
# In this file it is referenced only by the Source0 URL, so it has to be
# changed together with the Version tag.
%global unversion 2_2_5
Name:           expat
# Upstream base version. The security fixes in this package are carried as
# Patch entries, so this number stays at 2.2.5 after they are applied.
Version:        2.2.5
Release:        0
Summary:        XML Parser Toolkit
License:        MIT
Group:          Development/Libraries/C and C++
Url:            https://libexpat.github.io
# Upstream release tarball. This spec lists no detached signature or keyring
# source next to it.
# NOTE(review): if upstream publishes a signature for this release, consider
# adding it as a further Source so the tarball can be verified - confirm.
Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.bz2
# FAQ page copied into the source tree in the prep section and shipped as doc.
Source1:        %{name}faq.html
# Not referenced anywhere else in this spec; presumably read by the build
# service itself - TODO confirm.
Source2:        baselibs.conf
# Backported security fixes. The autosetup call in the prep section applies
# every Patch entry in numeric order with -p1, so the order below is the
# application order.
# Several advisories quoted below are stated against upstream releases newer
# than 2.2.5 (for example "before 2.4.4" and "before 2.4.5"), so the fix
# status of this package has to be read from this patch list, not from the
# Version tag.
#
# PATCH-FIX-UPSTREAM bsc#1139937 CVE-2018-20843 pmonrealgonzalez@suse.com -- Fix extraction of namespace prefixes from XML names
Patch0:         %{name}-CVE-2018-20843.patch
# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 crafted XML input results in heap-based buffer over-read
Patch1:         %{name}-CVE-2019-15903.patch
# Going by the file name, the test-suite part of the CVE-2019-15903 change.
Patch2:         %{name}-CVE-2019-15903-tests.patch
# PATCH-FIX-UPSTREAM bsc#1194251 CVE-2021-45960 a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior
# - https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
Patch3:         %{name}-CVE-2021-45960.patch
# PATCH-FIX-UPSTREAM bsc#1194362 CVE-2021-46143 integer overflow exists for m_groupSize in doProlog
# - https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
Patch4:         %{name}-CVE-2021-46143.patch
# Patch5 to Patch10 all reference the same upstream commit (pull 539); it is
# split here into one patch file per CVE.
# PATCH-FIX-UPSTREAM bsc#1194474 CVE-2022-22822 integer overflow in addBinding in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch5:         %{name}-CVE-2022-22822.patch
# PATCH-FIX-UPSTREAM bsc#1194476 CVE-2022-22823 integer overflow in build_model in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch6:         %{name}-CVE-2022-22823.patch
# PATCH-FIX-UPSTREAM bsc#1194477 CVE-2022-22824 integer overflow in defineAttribute in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch7:         %{name}-CVE-2022-22824.patch
# PATCH-FIX-UPSTREAM bsc#1194478 CVE-2022-22825 integer overflow in lookup in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch8:         %{name}-CVE-2022-22825.patch
# PATCH-FIX-UPSTREAM bsc#1194479 CVE-2022-22826 integer overflow in nextScaffoldPart in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch9:         %{name}-CVE-2022-22826.patch
# PATCH-FIX-UPSTREAM bsc#1194480 CVE-2022-22827 integer overflow in storeAtts in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch10:        %{name}-CVE-2022-22827.patch
# PATCH-FIX-UPSTREAM bsc#1195054 CVE-2022-23852 Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES
# - https://github.com/libexpat/libexpat/pull/550/commits/847a645152f5ebc10ac63b74b604d0c1a79fae40
# - https://github.com/libexpat/libexpat/pull/550/commits/acf956f14bf79a5e6383a969aaffec98bfbc2e44
Patch11:        %{name}-CVE-2022-23852.patch
# PATCH-FIX-UPSTREAM bsc#1195217 CVE-2022-23990: expat: integer overflow in the doProlog function
# - https://github.com/libexpat/libexpat/pull/551/commits/ede41d1e186ed2aba88a06e84cac839b770af3a1
Patch12:        %{name}-CVE-2022-23990.patch
# Stack exhaustion in build_model() via uncontrolled recursion
# UPSTREAM-FIX: (CVE-2022-25313, bsc#1196168) https://github.com/libexpat/libexpat/pull/558
Patch13:        %{name}-CVE-2022-25313.patch
# UPSTREAM-FIX: (CVE-2022-25313) Fix for patch as it introduced a regression: https://github.com/libexpat/libexpat/pull/566
# Follow-up to Patch13; the two must be kept or dropped together.
Patch14:         %{name}-CVE-2022-25313-fix-regression.patch
# Integer overflow in storeRawNames
# UPSTREAM-FIX: (CVE-2022-25315, bsc#1196171) https://github.com/libexpat/libexpat/pull/559
Patch15:        %{name}-CVE-2022-25315.patch
# Integer overflow in copyString
# UPSTREAM-FIX: (CVE-2022-25314, bsc#1196169) https://github.com/libexpat/libexpat/pull/560
Patch16:        %{name}-CVE-2022-25314.patch
# xmlparse.c in Expat before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs
# UPSTREAM-FIX: (CVE-2022-25236, bsc#1196025) https://github.com/libexpat/libexpat/pull/561
Patch17:        %{name}-CVE-2022-25236.patch
# xmltok_impl.c in Expat before 2.4.5 does not check whether a UTF-8 character is valid in a certain context.
# UPSTREAM-FIX: (CVE-2022-25235, bsc#1196026) https://github.com/libexpat/libexpat/pull/562
Patch18:        %{name}-CVE-2022-25235.patch
# [>=2.4.5] Fix to CVE-2022-25236 breaks biboumi, ClairMeta, jxmlease, libwbxml, openleadr-python, rnv, xmltodict
# UPSTREAM-FIX: (CVE-2022-25236, bsc#1196784) https://github.com/libexpat/libexpat/pull/577
# Follow-up to Patch17 for the breakage listed above; keep the pair together.
Patch19:         %{name}-CVE-2022-25236-relax-fix.patch

# use-after-free in the doContent function in xmlparse.c
# UPSTREAM-FIX: (CVE-2022-40674, bsc#1203438) https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b
Patch20:         %{name}-CVE-2022-40674.patch

# Tools needed in the build environment only; these are not runtime
# dependencies of the resulting binary packages.
BuildRequires:  gcc-c++
BuildRequires:  libtool
BuildRequires:  pkgconfig

%description
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the
parser might find in the XML document (like start tags).

%package -n libexpat1
# Runtime subpackage: its files section ships the versioned shared library,
# so this is the package that delivers the patched parser to applications
# linking against libexpat.
Summary:        XML Parser Toolkit
Group:          System/Libraries

%description -n libexpat1
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the
parser might find in the XML document (like start tags).

%package -n libexpat-devel
# Headers, the unversioned .so link and the pkg-config file.
Summary:        Development files for expat, an XML parser toolkit
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
# The pin is on the upstream version only, not on the release. Security fixes
# in this package arrive as new releases of the same version, so this
# dependency is satisfied by any 2.2.5 build of libexpat1, patched or not.
# NOTE(review): confirm whether a version-release pin is wanted here.
Requires:       libexpat1 = %{version}

%description -n libexpat-devel
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the
parser might find in the XML document (like start tags).

This package contains the development headers for the library found
in libexpat.

%prep
# Unpack Source0 and apply all declared patches in numeric order, each with
# strip level 1.
%autosetup -p1

# Place the FAQ page (Source1) in the top of the source tree so the files
# section can pick it up as documentation.
cp %{SOURCE1} .
# Remove the Developer Studio project files from the examples directory.
rm -f examples/*.dsp

%build
# Configure for a shared-library-only build (no static archive is produced),
# with verbose compiler command lines in the build log and without the
# docbook tooling.
%configure \
  --disable-silent-rules \
  --without-docbook \
  --docdir="%{_docdir}/%{name}" \
  --disable-static
%if 0%{?do_profiling}
  # Inactive while do_profiling is 0. Profile-guided path: build instrumented,
  # run the test suite to generate profile data, clean, then rebuild using
  # that data.
  make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_generate}"
  make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" check
  make %{?_smp_mflags} clean
  make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_feedback}"
%else
  # Plain build. CFLAGS is set to the distribution optflags only; any compiler
  # hardening options would have to come from that macro (its contents are
  # not visible in this file).
  make %{?_smp_mflags} CFLAGS="%{optflags}"
%endif

%install
# Install into the build root, then delete every libtool .la archive found
# there; -print records each removed path in the build log.
%make_install
find %{buildroot} -type f -name "*.la" -delete -print

%check
# Run the upstream test suite against the patched tree. This is the only
# automated check in this spec that the backported patches did not break the
# parser.
make %{?_smp_mflags} check

# Run ldconfig when libexpat1 is installed and when it is removed.
# Keep these two sections free of any following text or comments: with -p,
# lines placed after the section header are treated as scriptlet body for the
# named program.
%post -n libexpat1 -p /sbin/ldconfig
%postun -n libexpat1 -p /sbin/ldconfig

%files
# Main package: documentation, licence text, example sources, man pages and
# the xmlwf command-line tool. The shared library itself is in libexpat1.
%{_docdir}/%{name}
%license COPYING
%doc README.md expatfaq.html
%doc doc/expat.png doc/reference.html doc/style.css doc/valid-xhtml10.png
%doc examples/elements.c examples/outline.c examples/Makefile.am examples/Makefile.in
%doc AUTHORS Changes
%{_mandir}/man?/*
%{_bindir}/xmlwf

%files -n libexpat1
# Versioned shared objects only; this is the file set that has to be updated
# on a system for the backported fixes to take effect.
%{_libdir}/libexpat.so.*

%files -n libexpat-devel
# Build-time artefacts: public headers, the unversioned linker name and the
# pkg-config metadata. No static library is listed, matching the
# disable-static option passed to configure.

%{_includedir}/*
%{_libdir}/libexpat.so
%{_libdir}/pkgconfig/expat.pc

%changelog